
Spat Leads to Partial Leak of Rig Exploit Kit

A reseller of the Rig Exploit Kit has leaked some of the source code behind the pack after parting ways with the kit’s developer. Experts don’t expect a spike in Rig-based attacks.

A spitting match between the developers of the Rig Exploit Kit and one of its resellers resulted in a partial leak of the kit's source code on a hacker forum.

Rig is less than a year old and is spread primarily in malvertising campaigns, pushing Flash, Java and Microsoft Silverlight exploits; some versions also push ransomware.

Experts, however, aren’t sure this will give birth to a rash of campaigns centered on Rig.

“I do not think this will be really noticeable,” said French exploit kit researcher Kafeine, who found the leak being advertised on a hacker board. He said the main pushers of Rig do not operate on the same forum.

“Following this leak, the crooks might get cold feet and try to stay under the radar to elude law enforcement’s attention,” said a report posted yesterday by researchers at Trustwave SpiderLabs. “As a result we’d expect to see less activity. On the other hand, script kiddies may now use this source code to try and deploy their own infection schemes for quick and easy profit.”

A U.K. researcher known as MalwareTech said the leaker is likely a Rig Exploit Kit reseller who tried to scam potential buyers by charging prices 40 percent higher than “official” Rig sellers, as well as asking $3,000 for access to a private forum that did not exist, according to screenshots from his website.

“It seems like the RIG owner was less than pleased with the reseller’s antics because the next day, in a conversation with another member, the owner declared that he had suspended the reseller for attempting to scam customers, which isn’t surprising given he was requesting that people pay him $3000 for access to an imaginary private forum,” MalwareTech wrote on his website.

No honor among thieves.

Undaunted, the reseller took to Twitter, creating an account that riffed on researchers from Malware Must Die. In a series of tweets, the reseller said he was in possession of Rig source code and a database dump; he also provided a download link. MalwareTech said the password-protected file was deleted after a couple dozen downloads. He said, however, that he confirmed the leak was legitimate with three other sources. The leak itself is incomplete, and it appears the reseller leaked only the files he had access to, Trustwave SpiderLabs said.

“In addition to parts of the source code, the contents of the leak included a partial export of the server database,” Trustwave said. Its researchers thus had access to the kit's infection stats and saw only about 1,200 infections since the leak.

Authors

Threatpost
